State pilot shows a way to improve security while cutting costs

Agency has reduced its serious vulnerabilities while cutting the cost of its security program, said Chief Information Security Officer John Streufert.

The State Department may have cracked a vexing cybersecurity problem.

With a program of continuous monitoring, distributed responsibility for information technology security and a focus on critical controls and vulnerabilities, the agency has significantly improved its IT security while lowering the cost, said department Chief Information Security Officer John Streufert.

The number of high-risk security vulnerabilities has been reduced by 90 percent in one year, and the cost of certifying and accrediting IT systems, required under the Federal Information Security Management Act, has been cut by 62 percent by continuously updating security data, Streufert said Thursday at the 1105 Government Information Security Conference in Washington.

The results demonstrate that IT security can be improved while still complying with current FISMA requirements, he said. The improvements were made by changing policies to put responsibility for security status in the hands of local officials who have direct control of systems, and by using network scanning tools that check for the critical security controls in the Consensus Audit Guidelines.

“Maybe we don’t need to change FISMA, but we need to look at the word ‘annual’ as a minimum requirement,” he said.

FISMA calls for assessing IT systems for an annual snapshot of their security status, and requires the certification and accreditation of systems every three years. The act has been widely criticized for failing to produce better security even when agencies comply with requirements, and for being burdensome and expensive. Streufert said that under the certification and accreditation process, State had compiled a library of 95,000 pages of reports at a cost of $1,400 per page, totaling $130 million over six years, and that much of the data is outdated by the time it is produced.

He called State a “middling” sized department, with 70,000 network users. But it is widely distributed, with 40 locations in the continental United States and another 260 overseas. The department has experienced a 50 percent increase in reported attacks on its networks in the past year, from 2,100 in fiscal 2008 to 3,085 in 2009.

IT security officials are at a disadvantage in such an environment, Streufert said. “Our direct control over our software and infrastructure is very small.”

But penetration testing of systems showed that 80 percent of successful attacks exploited known vulnerabilities. This offered a chance to improve security by targeting those vulnerabilities. In 2008 the department began a risk scoring initiative in which it monitors IT systems at each site and assigns a security grade every 36 hours on a scale of A+ to F-.
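To make the risk scoring idea concrete, here is an added example (not code from the article or from the State Department) of a minimal site-level scoring pass: scan findings are weighted by severity and by how long they have been left open, totalled per site, normalised per host so that a 100-host site and a 10-host post are comparable, and mapped to a grade from A+ to F-. The severity weights, grade thresholds, control labels and sample findings are all constructed assumptions; the department's actual formula is not described on the page.

```python
# Added example, not from the article or the State Department: a minimal
# site-level risk scoring pass in the spirit of the programme described above.
# Findings are weighted by severity and by age, totalled per site, normalised
# per host, and mapped to a letter grade from A+ to F-. Weights, thresholds,
# control labels and sample data are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed severity weights (points per open finding).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}

# Assumed grade bands: upper bound of points-per-host for each letter;
# anything above the last bound is F-.
GRADE_BANDS = [(0.5, "A"), (1.5, "B"), (3.0, "C"), (5.0, "D"), (10.0, "F")]


@dataclass(frozen=True)
class Finding:
    site: str
    host: str
    severity: str
    control: str        # assumed short label for the critical control it falls under
    first_seen: date


def finding_points(f: Finding, today: date) -> float:
    """Severity weight, plus 25 percent for every full week past a 7-day grace period."""
    base = SEVERITY_WEIGHT[f.severity]
    age_days = (today - f.first_seen).days
    overdue_weeks = max(0, (age_days - 7) // 7)
    return base * (1 + 0.25 * overdue_weeks)


def letter_grade(points_per_host: float) -> str:
    """Map a normalised score to a grade; + and - mark the lower and upper third of a band."""
    lower = 0.0
    for upper, letter in GRADE_BANDS:
        if points_per_host <= upper:
            third = (upper - lower) / 3
            if points_per_host <= lower + third:
                return letter + "+"
            if points_per_host > upper - third:
                return letter + "-"
            return letter
        lower = upper
    return "F-"


def site_scores(findings, hosts_per_site, today):
    """Total points per site divided by host count, so sites of different sizes compare fairly."""
    totals = {site: 0.0 for site in hosts_per_site}
    for f in findings:
        totals[f.site] += finding_points(f, today)
    return {site: totals[site] / hosts_per_site[site] for site in hosts_per_site}


def grade_sites(findings, hosts_per_site, today):
    """Per-site (score, grade) pairs: the report card a local administrator would see."""
    return {site: (round(score, 4), letter_grade(score))
            for site, score in site_scores(findings, hosts_per_site, today).items()}


def control_breakdown(findings, today):
    """Points per control across all sites, largest first: shows which area drives the risk."""
    out = {}
    for f in findings:
        out[f.control] = out.get(f.control, 0.0) + finding_points(f, today)
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))


# Constructed sample data: three sites of different sizes, seven open findings.
TODAY = date(2009, 10, 1)
HOSTS = {"Washington": 100, "Embassy-A": 20, "Embassy-B": 10}
FINDINGS = [
    Finding("Washington", "w-01", "high", "vuln-remediation", TODAY - timedelta(days=2)),
    Finding("Washington", "w-07", "low", "secure-config", TODAY - timedelta(days=30)),
    Finding("Embassy-A", "e-01", "critical", "vuln-remediation", TODAY - timedelta(days=21)),
    Finding("Embassy-A", "e-02", "high", "admin-privileges", TODAY - timedelta(days=14)),
    Finding("Embassy-A", "e-03", "medium", "dormant-accounts", TODAY),
    Finding("Embassy-B", "b-01", "critical", "vuln-remediation", TODAY - timedelta(days=60)),
    Finding("Embassy-B", "b-02", "critical", "anti-malware", TODAY - timedelta(days=60)),
]

if __name__ == "__main__":
    for site, (score, grade) in grade_sites(FINDINGS, HOSTS, TODAY).items():
        print(f"{site:<12} {score:6.3f} points/host  grade {grade}")
    for control, pts in control_breakdown(FINDINGS, TODAY).items():
        print(f"  {control:<18} {pts:6.2f}")
```

With the sample data, the large Washington site grades A+ despite having findings, the mid-sized post with an aging critical finding grades B-, and the small post with two criticals open for two months grades F+; the control breakdown shows that unremediated known vulnerabilities account for most of the points, which is the prioritisation the article says the department relies on.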

Monitoring tools use the Consensus Audit Guidelines, a set of baseline IT security controls released earlier this year by a coalition of public and private organizations, including U.S. military and intelligence agencies, intended to become a foundation for a standardized approach to securing the nation’s critical information infrastructure.

The guidelines contain 20 security controls deemed by consensus to be critical for IT systems. Fifteen of them are subject to automated measurement and validation, and five require more manual effort.

The controls subject to automated measurement and validation are:

  • Inventory of authorized and unauthorized hardware.
  • Inventory of authorized and unauthorized software.
  • Secure configurations for hardware and software for which such configurations are available.
  • Secure configurations of network devices such as firewalls and routers.
  • Boundary defense.
  • Maintenance and analysis of complete security audit logs.
  • Application software security.
  • Controlled use of administrative privileges.
  • Controlled access based on need to know.
  • Continuous vulnerability testing and remediation.
  • Dormant account monitoring and control.
  • Anti-malware defenses.
  • Limitation and control of ports, protocols and services.
  • Wireless device control.
  • Data leakage protection.

Controls not directly supported by automated measurement and validation:

  • Secure network engineering.
  • Red team exercises.
  • Incident response capability.
  • Assured data back-ups.
  • Security skills assessment and training to fill gaps.

By scoring each site and making local administrators responsible for security status, the department has been able to make use of a broader workforce than the dedicated IT security staff, Streufert said. Focusing on a set of critical controls allows work to be prioritized and done more cost effectively.

Streufert said he believes the system is scalable to other departments, but said it does not in itself ensure IT security.

“Reducing known vulnerabilities is only part of a program,” he said. “The Department of State does not look at risk scoring as a silver bullet.”